Crypto weaknesses in WhatsApp “the kind of stuff the NSA would love”

Poor implementation of SSL encryption could be a boon to eavesdroppers.

WhatsApp, the mobile messaging app developer that Facebook is acquiring for $19 billion, may be an attractive addition to the social network, thanks to WhatsApp's 450 million active users and en vogue status. It may also be attractive to government spies and criminal hackers, thanks to several weaknesses in the encryption WhatsApp uses to protect messages from eavesdropping, researchers say.

Among the most serious problems with WhatsApp's implementation of secure sockets layer (SSL) encryption is its support of version 2 of the protocol, according to a blog post published Thursday by a researcher from security consultancy Praetorian. That version is susceptible to several well-known attacks that allow people monitoring a connection between the two end points to decipher and in some cases manipulate the traffic as it passes through.

Put a pin in it

WhatsApp has also failed to implement a technique known as certificate pinning that's designed to block attacks using forged certificates to bypass Web encryption. Pinning allows an app to work only when communicating with a server using a specific certificate. Because the certificate fingerprint is hardcoded into the app, it will reject connections with any impostor certificates—even if they're signed by one of the 500 or so authorities trusted by major browsers and operating systems.

Over the past few years, pinning has become increasingly common in apps developed by companies like Twitter, Facebook and Google. Certificate pinning in Chrome was the canary that revealed a fraudulent certificate (signed by then-trusted authority DigiNotar) being used to bypass the encryption protecting some Gmail users. Given the more than $19 million WhatsApp has received to date from venture capitalists, it's surprising developers didn't plunk some of that money into adding this useful feature.

Praetorian also notes two other WhatsApp SSL deficiencies: the use of SSL null ciphers and the enabling of SSL export ciphers. Both weaknesses make it easier for attackers to bypass encryption as traffic passes between a mobile phone and back-end servers.
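One way a client can combine the pinning check from the previous section with the protocol and cipher restrictions whose absence is noted above. This is an added example, not WhatsApp's or Praetorian's code; the function names, the cipher string and the choice to pin the whole leaf certificate by its SHA-256 fingerprint are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(ssl.SSLError):
    """Raised when the server's certificate is not one of the pinned ones."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AA:BB:..' and 'aabb..' spellings of the same fingerprint."""
    return pin.replace(":", "").strip().lower()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True only if the certificate's fingerprint equals one of the pins."""
    seen = fingerprint(der_cert)
    return any(hmac.compare_digest(seen, normalize_pin(p)) for p in pins)


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses the weak options named in the article."""
    # CA validation and hostname checking stay on; pinning is an extra check.
    ctx = ssl.create_default_context()
    # No SSLv2, SSLv3 or early TLS, so there is nothing weak to downgrade to.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Offer only forward-secret AEAD suites; never unauthenticated (aNULL),
    # unencrypted (eNULL) or export-grade suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT")
    return ctx


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and drop it unless the leaf certificate is pinned.

    `host` and `pins` are supplied by the caller; in an app the pins would be
    compiled in, which is what makes a CA-signed impostor certificate fail.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = hardened_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not pin_matches(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise PinMismatch(f"certificate for {host} does not match any pin")
    return tls
```

Shipping at least two pins (the current certificate and a backup) lets the server rotate its certificate without locking out installed clients.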

"This is the kind of stuff the NSA would love," Praetorian's Paul Jauregui wrote. "It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk."

This is not the first time WhatsApp has been called out for security weaknesses. In October, a computer science student at Utrecht University in the Netherlands documented a critical encryption flaw that made it possible for adversaries to decrypt communications sent with WhatsApp. Given Facebook's track record in locking down apps and servers, the first thing company developers will do before assimilating WhatsApp into the mothership is to audit every line of code to fix these kinds of vulnerabilities.

The usual use case for certificate pinning is that the client stores the first valid certificate it sees and then complains if that changes.

If you are going to hard code a particular certificate, then you aren't using the SSL/TLS hierarchy of trust model at all, and given that you control the client and the server, you probably don't really need the negotiated handshake either. Sounds like kind of a weak case for TLS at all, except for the fact that it's standard over HTTP.

Given Facebook's track record, the first thing company developers will do before assimilating WhatsApp into the mothership is to audit every line of code in order to fix these kinds of vulnerabilities.

Wow, I really can't tell if that was meant as sarcasm.

I have very little confidence in Facebook's general coding practices and development processes, based on the frequent changes, broken functionality, and privacy loopholes they had during the time I used it. Are their crypto-related security practices really much better? That seems very unlikely given my experience in the software industry.

If it's the kind of stuff the NSA would love, I see no reason why FB wouldn't love it also.

They're kicking themselves now, because they could have gotten all those users' data for free.

I agree to some extent, the thing is that they don't only need the data, the users as well, in reality they need both, one without the other is useless. Facebook needs that dollar for every user to recoup some of the money in the mid-long term window.

Given Facebook's track record, the first thing company developers will do before assimilating WhatsApp into the mothership is to audit every line of code in order to fix these kinds of vulnerabilities.

Wow, I really can't tell if that was meant as sarcasm.

I have very little confidence in Facebook's general coding practices and development processes, based on the frequent changes, broken functionality, and privacy loopholes they had during the time I used it. Are their crypto-related security practices really much better? That seems very unlikely given my experience in the software industry.

No, I wasn't being sarcastic. Facebook's security team is one of the better ones I've come across, up there with those of Google and Twitter in terms of secure coding and strong crypto implementations of their websites and apps. All three teams do a reasonably good job of monitoring their internal and production networks for attacks and responding to them in a timely manner when something goes wrong. I have no doubt Facebook developers will put both the WhatsApp client and its back-end code through a thorough security audit and fix this kind of stuff.

As an aside, please note that I avoid sarcasm whenever possible because I think it degrades effective communication.

As an aside, please note that I avoid sarcasm whenever possible because I think it degrades effective communication.

Then you're doing it wrong. (Not sarcasm)

I think sarcasm degrades effective communication in at least two ways. First, people often don't know if I'm being sarcastic or literal. That creates ambiguity. Second, the goal of most sarcasm is to passively criticize, offend or retaliate. It often puts one or more people on the defensive. That, in turn, touches off personal attacks that do more to increase noise than signal of a conversation. I realize other people may take a different approach to sarcasm, but this is the one I've adopted, and it mostly serves me well, especially in environments such as Ars.

Given Facebook's track record, the first thing company developers will do before assimilating WhatsApp into the mothership is to audit every line of code in order to fix these kinds of vulnerabilities.

Wow, I really can't tell if that was meant as sarcasm.

I have very little confidence in Facebook's general coding practices and development processes, based on the frequent changes, broken functionality, and privacy loopholes they had during the time I used it. Are their crypto-related security practices really much better? That seems very unlikely given my experience in the software industry.

No, I wasn't being sarcastic. Facebook's security team is one of the better ones I've come across, up there with those of Google and Twitter in terms of secure coding and strong crypto implementations of their websites and apps. All three teams do a reasonably good job of monitoring their internal and production networks for attacks and responding to them in a timely manner when something goes wrong. I have no doubt Facebook developers will put both the WhatsApp client and its back-end code through a thorough security audit and fix this kind of stuff.

As an aside, please note that I avoid sarcasm whenever possible because I think it degrades effective communication.

Much appreciated. I guess the dichotomy between their security and their other development processes was just hard for me to comprehend or believe. I think it shows how much they devalue privacy in general if they can do website security well but other aspects of their services are full of holes.

EDIT: On the other hand, WhatsApp seems to have the opposite problem, so now I wonder which way the balance will shift.

At a price of however many Billion with a Capital 'B', I would expect this deal to kind of crawl to a stop due to the critical nature of this flaw. Due diligence on behalf of investors is, I would think, of prime importance here especially if the users abandon WhatsApp. I would be extremely cautious using it as the perception is that the thing is cracked wide open.

WhatsApp does not collect names, emails, addresses or other contact information from its users’ mobile address book or contact lists other than mobile phone numbers—the WhatsApp mobile application will associate whatever name the WhatsApp user has assigned to the mobile telephone number in his/her mobile address book or contact list — and this occurs dynamically on the mobile device itself and not on WhatsApp’s servers and is not transmitted to WhatsApp. This means that if you have your friend’s mobile phone number associated with the name “Shakespeare” in your mobile address book, that’s the name that will appear for that mobile phone number in your WhatsApp contact list. We do not collect location data, but users may voluntarily share their location with other users via the WhatsApp Service.

The contents of messages that have been delivered by the WhatsApp Service are not copied, kept or archived by WhatsApp in the normal course of business. The WhatsApp Service is meant to be a SMS replacement, using data service through a user’s phone (either via cell network or wifi). Users type their messages, which are sent via data service to our servers, and routed to the intended recipient (who must also be a WhatsApp user), if that recipient is online. If the recipient is not online, the undelivered message is held in WhatsApp’s server until it can be delivered. If the message is undelivered for thirty (30) days, the undelivered message is deleted from our servers. Once a message has been delivered, it no longer resides on our servers. The contents of any delivered messages are not kept or retained by WhatsApp — the only records of the content of any delivered messages reside directly on the sender’s and recipient’s mobile devices (and which may be deleted at the user’s option). Notwithstanding the above, WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect. Files that are sent through the WhatsApp Service will reside on our servers after delivery for a short period of time, but are deleted and stripped of any identifiable information within a short period of time in accordance with our general retention policies.

Given WhatsApp's previous responses to news that its security is effectively Swiss cheese, I'm somewhat less than shocked. Facebook has nowhere to go but up, and hopefully the "security" team at WhatsApp (if one exists) will be shown the door before being given the opportunity to screw up anything else.

At a price of however many Billion with a Capital 'B', I would expect this deal to kind of crawl to a stop due to the critical nature of this flaw. Due diligence on behalf of investors is, I would think, of prime importance here especially if the users abandon WhatsApp. I would be extremely cautious using it as the perception is that the thing is cracked wide open.

I don't think Zuckerberg knows what due diligence is, and he probably already signed off the option to have one. I say that based on what we saw with Instagram.

Given Facebook's track record, the first thing company developers will do before assimilating WhatsApp into the mothership is to audit every line of code in order to fix these kinds of vulnerabilities.

Wow, I really can't tell if that was meant as sarcasm.

I have very little confidence in Facebook's general coding practices and development processes, based on the frequent changes, broken functionality, and privacy loopholes they had during the time I used it. Are their crypto-related security practices really much better? That seems very unlikely given my experience in the software industry.

No, I wasn't being sarcastic. Facebook's security team is one of the better ones I've come across, up there with those of Google and Twitter in terms of secure coding and strong crypto implementations of their websites and apps. All three teams do a reasonably good job of monitoring their internal and production networks for attacks and responding to them in a timely manner when something goes wrong. I have no doubt Facebook developers will put both the WhatsApp client and its back-end code through a thorough security audit and fix this kind of stuff.

As an aside, please note that I avoid sarcasm whenever possible because I think it degrades effective communication.

I actually have to second this. For all of the data gathering Facebook does, it's really handed to them on a silver platter and we say thank you sir may I have another while they monetize it. I cannot recall a Facebook data breach in recent memory.

...his service would defiantly not carry advertising, an experience satisfyingly absent from his Soviet upbringing; it would not store messages and thus imperil individual citizens' privacy...

From TheRegister.co.uk

Quote:

When it was discovered the same key was used to encrypt all messages in a conversation, so the contents could be fairly easily decrypted, CEO Jan Koum brushed away reporters with the comment: "We have a company to run. Back to work."

All the more reason to go with Blackberry Messenger. The BBM app for Android and iPhone uses a SIP connection over a TLS (encryption) transport.

BBM is without a doubt better and what BBM and others did first is what Whatsapp copied. Before praising one for security over the other, get to know that security. Blackberry holds the keys to BBM's encrypted chat and is willing to hand them over to the government when it makes its case right. If you're looking for real security look elsewhere.

My Nexus was stolen and I've been wandering in the wasteland of Windows Phone 7 without the final update as my carrier blocked it, so unfortunately I've nothing to recommend in its place.

I'm looking forward to hearing about Blackphone at Mobile World Conference next week. The OS will be a fork of Android focused on privacy, PrivatOS.

At a price of however many Billion with a Capital 'B', I would expect this deal to kind of crawl to a stop due to the critical nature of this flaw. Due diligence on behalf of investors is, I would think, of prime importance here especially if the users abandon WhatsApp. I would be extremely cautious using it as the perception is that the thing is cracked wide open.

You, Facebook, just paid $19 billion for an app that didn't do anything that someone else wasn't doing and possibly doing better elsewhere. After spending $19 billion do you care if you need to spend $1-10 million rewriting the code base from scratch? Facebook likely purchased them on their user numbers, their growth and access to users' phone books, either now or in the future. The average user won't even know security was a topic of discussion.

I've never used WhatsApp but was thinking about giving it a go a few weeks ago. Now that Facebook owns it, I will never touch it. I got rid of FB in 2009 and haven't missed much, not that I got that much out of it to begin with. I'd bash Facebook more, but I do tweet so I'd come off as a huge hypocrite if I did.

All the more reason to go with Blackberry Messenger. The BBM app for Android and iPhone uses a SIP connection over a TLS (encryption) transport.

BBM is without a doubt better and what BBM and others did first is what Whatsapp copied. Before praising one for security over the other, get to know that security. Blackberry holds the keys to BBM's encrypted chat and is willing to hand them over to the government when it makes its case right. If you're looking for real security look elsewhere.

My Nexus was stolen and I've been wandering in the wasteland of Windows Phone 7 without the final update as my carrier blocked it, so unfortunately I've nothing to recommend in its place.

I'm looking forward to hearing about Blackphone at Mobile World Conference next week. The OS will be a fork of Android focused on privacy, PrivatOS.

I think Blackberry with all its defense contracts, software experts and QNX would have been cheaper to buy.

I'm getting real sick and tired of these companies with BILLIONS of dollars in valuation not taking ten minutes to hire a security professional who actually knows what in the hell they're doing.

I have pretty much dropped out of the software market the last year because of design insecurities. I'll just keep plugging away on my safe system I know well, instead of taking a flyer on some piece of crap that doesn't really take my safety and security interests seriously.

Given Facebook's track record, the first thing company developers will do before assimilating WhatsApp into the mothership is to audit every line of code in order to fix these kinds of vulnerabilities.

Wow, I really can't tell if that was meant as sarcasm.

I have very little confidence in Facebook's general coding practices and development processes, based on the frequent changes, broken functionality, and privacy loopholes they had during the time I used it. Are their crypto-related security practices really much better? That seems very unlikely given my experience in the software industry.

No, I wasn't being sarcastic. Facebook's security team is one of the better ones I've come across, up there with those of Google and Twitter in terms of secure coding and strong crypto implementations of their websites and apps. All three teams do a reasonably good job of monitoring their internal and production networks for attacks and responding to them in a timely manner when something goes wrong. I have no doubt Facebook developers will put both the WhatsApp client and its back-end code through a thorough security audit and fix this kind of stuff.

As an aside, please note that I avoid sarcasm whenever possible because I think it degrades effective communication.

I don't doubt that their team is very good. The question here is are they actually being allowed to do their job. After all, MS probably has some very bright security guys but the first thing they did with Skype was to allow for full monitoring and listening in on anything going on.

All the more reason to go with Blackberry Messenger. The BBM app for Android and iPhone uses a SIP connection over a TLS (encryption) transport.

BBM is without a doubt better and what BBM and others did first is what Whatsapp copied. Before praising one for security over the other, get to know that security. Blackberry holds the keys to BBM's encrypted chat and is willing to hand them over to the government when it makes its case right. If you're looking for real security look elsewhere.

My Nexus was stolen and I've been wandering in the wasteland of Windows Phone 7 without the final update as my carrier blocked it, so unfortunately I've nothing to recommend in its place.

I'm looking forward to hearing about Blackphone at Mobile World Conference next week. The OS will be a fork of Android focused on privacy, PrivatOS.

At a price of however many Billion with a Capital 'B', I would expect this deal to kind of crawl to a stop due to the critical nature of this flaw. Due diligence on behalf of investors is, I would think, of prime importance here especially if the users abandon WhatsApp. I would be extremely cautious using it as the perception is that the thing is cracked wide open.

You, Facebook, just paid $19 billion for an app that didn't do anything that someone else wasn't doing and possibly doing better elsewhere. After spending $19 billion do you care if you need to spend $1-10 million rewriting the code base from scratch? Facebook likely purchased them on their user numbers, their growth and access to users' phone books, either now or in the future. The average user won't even know security was a topic of discussion.

Edited to add second comment without a doublepost.

I've heard good things about Telegram on Android and iOS (in light of FB buyout I was looking to replace WA anyway) and there seems to be some alpha and beta version apps for windows phone which use the Telegram communication protocol but aren't full featured enough to be blessed as official apps yet. Might be worth a look.

Given Facebook's track record, the first thing company developers will do before assimilating WhatsApp into the mothership is to audit every line of code in order to fix these kinds of vulnerabilities.

Wow, I really can't tell if that was meant as sarcasm.

I have very little confidence in Facebook's general coding practices and development processes, based on the frequent changes, broken functionality, and privacy loopholes they had during the time I used it. Are their crypto-related security practices really much better? That seems very unlikely given my experience in the software industry.

No, I wasn't being sarcastic. Facebook's security team is one of the better ones I've come across, up there with those of Google and Twitter in terms of secure coding and strong crypto implementations of their websites and apps. All three teams do a reasonably good job of monitoring their internal and production networks for attacks and responding to them in a timely manner when something goes wrong. I have no doubt Facebook developers will put both the WhatsApp client and its back-end code through a thorough security audit and fix this kind of stuff.

As an aside, please note that I avoid sarcasm whenever possible because I think it degrades effective communication.

I suppose when it comes right down to it, accidental privacy violations cannot be effectively monetized*. So it makes sense to ensure that all privacy violations are deliberate.

( *Although security flaws can be monetized, as Oracle demonstrates every time they try to sneak McAfee junk onto your system during a patch. So maybe Facebook is overlooking a trick here.)

The usual use case for certificate pinning is that the client stores the first valid certificate it sees and then complains if that changes.

If you are going to hard code a particular certificate, then you aren't using the SSL/TLS hierarchy of trust model at all, and given that you control the client and the server, you probably don't really need the negotiated handshake either. Sounds like kind of a weak case for TLS at all, except for the fact that it's standard over HTTP.

Is that the usual use case? I think Chrome and EMET hard code the CAs that are allowed to sign the certs, but don't hard code the certs.